Masako Oono

**Name of the Vulnerable Software and Affected Versions** osCommerce versions 2.2MS1J before R9 osCommerce Online Merchant versions prior to 2.3.1 **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. **Recommendations** For osCommerce versions 2.2MS1J before R9, update to R9 or a later version. For osCommerce Online Merchant versions prior to 2.3.1, update to version 2.3.1 or later.

**Name of the Vulnerable Software and Affected Versions** EC-CUBE versions prior to 2.11.0 **Description** A cross-site request forgery (CSRF) issue allows remote attackers to hijack the authentication of victims. The exact vectors used for the attack are not specified. **Recommendations** For versions prior to 2.11.0, update to version 2.11.0 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** C3 Corp. WebCalenderC3 versions 0.32 and earlier **Description** A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. The original researcher is reliable, although the vendor could not reproduce the issue. **Recommendations** For versions 0.32 and earlier, apply the provided patch to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Happy Linux XF-Section module version 1.12a **Description** A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML. The exact vectors used for the injection are not specified. **Recommendations** For Happy Linux XF-Section module version 1.12a, update to a version that fixes this issue, as using older versions poses a significant risk. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: bingo!CMS versions 1.2 and earlier Description: A cross-site request forgery issue allows remote attackers to hijack the authentication of other users for requests that modify configuration or change content. Recommendations: For versions 1.2 and earlier, update to a version later than 1.2 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: Geeklog versions 1.5.0 through 1.5.2 Site Calendar 'mycaljp' plugin versions 2.0.0 through 2.0.6 Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. Recommendations: For Geeklog versions 1.5.0 through 1.5.2, update the Site Calendar 'mycaljp' plugin to a version later than 2.0.6. For Site Calendar 'mycaljp' plugin versions 2.0.0 through 2.0.6, update to a version later than 2.0.6.

Name of the Vulnerable Software and Affected Versions: MT312 IMG-BBS versions prior to 20090521 Description: A cross-site scripting (XSS) issue exists, allowing remote attackers to inject arbitrary web script or HTML via unspecified vectors related to model.php. Recommendations: For MT312 IMG-BBS versions prior to 20090521, update to a version released after 20090521 to resolve the issue.

Name of the Vulnerable Software and Affected Versions: MT312 REP-BBS versions prior to 20090521 Description: A cross-site scripting (XSS) issue allows remote attackers to inject arbitrary web script or HTML. This is related to the `model.php` and `config.php` files. Recommendations: For MT312 REP-BBS versions prior to 20090521, update to a version released after 20090521 to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** piCal versions 0.91h and earlier **Description** The issue allows remote attackers to inject arbitrary web script or HTML via the `event id` parameter in "index.php". This is a cross-site scripting (XSS) issue. **Recommendations** For versions 0.91h and earlier, avoid using the `event id` parameter in the "index.php" endpoint until the issue is resolved. As a temporary workaround, consider restricting access to the vulnerable module to minimize the risk of exploitation.

Name of the Vulnerable Software and Affected Versions: phpMyAdmin versions prior to 2.11.9.2 Description: The issue allows remote attackers to bypass cross-site scripting protection mechanisms and conduct attacks via a NUL byte inside a "</script" sequence when using Internet Explorer. This is due to a problem in the PMA escapeJsString function in libraries/js escape.lib.php. Recommendations: For versions prior to 2.11.9.2, update to version 2.11.9.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the PMA escapeJsString function until a patch is applied.